HBGary’s open letter: full of denials that don’t hold water

HBGary has finally broken its silence about the Anonymous attacks and their …

HBGary, the security firm that saw its servers hacked and its e-mails released after its HBGary Federal offshoot angered the Anonymous hive, published a rather peculiar open letter this past Friday in an effort to address the "large amount of misinformation reported in the press." But the letter makes some questionable claims of its own.

The unsigned letter outlines the basics of the attack and asserts that HBGary's internal systems remained safe and uncompromised. To ward off future attacks, the letter also claimed that HBGary's website, which was hacked using a basic security flaw, and its e-mail system, which fell victim to weak, re-used passwords, were now back in operation with "even stronger cyber defense mechanisms."

HBGary says that the company's concern in the immediate aftermath was to determine if customers had been affected by the intrusion. On receipt of legal advice, the company's policy was to refrain from commenting on the e-mails, though it acknowledges that this may have led to the amount of "misinformation" floating around.

Deny everything

The main thrust of the letter is an effort to distance HBGary from the entire hack and its subsequent aftermath. Five specific claims are made: that HBGary and HBGary Federal are distinct, with separate "management, employees, and missions"; that HBGary was not involved in the research performed by then-HBGary Federal CEO Aaron Barr and was merely caught in the crossfire; that HBGary did not develop Stuxnet; that HBGary does indeed sell software to the US government and is proud of that fact; and finally, that HBGary's rootkit research is solely to help improve its own security products.

While the claims about Stuxnet and software sales to the US government are uncontentious, the others are more than a little surprising. For a start, some of the claims appear to be contradicted by the extensive e-mail dumps. Though HBGary representatives have implied that some of the e-mails may have been tampered with, the prodigious quantity of mail precludes any substantial effort to create fraudulent mail (and the company never responded to our request to identify any instances of such fraud).

While HBGary Federal was legally a distinct company (albeit one with some overlap in ownership), both the hacking methodology and e-mails subsequently published make clear that this distinction was far less clear in practice.

The hack itself revealed that HBGary and HBGary Federal used a single Google Apps account for their e-mail. Former HBGary Federal CEO Aaron Barr, whose actions provoked the hack in the first place and whose password was cracked, had administrative access to both HBGary and HBGary Federal mail. The e-mail accounts of HBGary Federal employees used the hbgary.com domain, not hbgaryfederal.com. HBGary Federal COO Ted Vera had access to a Linux server used by HBGary for providing support to its customers. And the e-mails themselves show that Aaron Barr was in regular correspondence with HBGary CEO Greg Hoglund. The two also worked together to decide how best to word press releases to promote HBGary Federal's work to uncover Anonymous.

Indeed, from day one, the lack of separation between the companies was clear. Greg Hoglund's e-mail introducing new hires Aaron Barr and Ted Vera had the subject "Welcome Aaron Barr and Ted Vera to the HBGary management team!"—hardly supporting the open letter's claim of "completely different management."

From: Greg Hoglund <greg@hbgary.com>
To: all@hbgary.com
Subject: Welcome Aaron Barr and Ted Vera to the HBGary management team!
Date: 2009-11-23

I am extremely excited to announce that Aaron Barr and Ted Vera have joined
the HBGary team! Ted and Aaron will operate and lead HBGary Federal, a
wholly owned subsidiary of HBGary, with a focus on contracting in the
government space. They are very experienced and most recently built a
$10 million/year business at Northrop Grumman. Both have won and led
multi-million dollar development projects and managed substantial teams.
We have known Aaron and Ted for more than 5 years. These two are A+ players
in the DoD contracting space and are able to “walk the halls” in customer
spaces. Some very big players made offers to Ted and Aaron last week, and
instead they chose HBGary. This reflects extremely well on our company.
"A" players attract "A" players. Aaron will take position as CEO of HBGary
Federal, and will be operating out of the DC area. Ted will take position as
President and COO of HBGary Federal, and will be operating out of Colorado
Springs. Welcome aboard!

-Greg Hoglund
CEO, HBGary, Inc.

So while the companies were legally distinct, their management and employees plainly, in practice, were not "completely different." At the very least, HBGary senior management oversaw and were involved with HBGary Federal's operations, and HBGary Federal employees had access to HBGary systems.

Next, the letter specifically distanced HBGary from Aaron Barr's research. The investigation into Anonymous was entirely HBGary Federal's doing, it says, and HBGary was an innocent bystander, caught in the crossfire when Anonymous sought retribution. Prior to the entire issue blowing up spectacularly in their faces, however, nobody from HBGary wanted to be distanced from the research.

From: Aaron Barr <aaron@hbgary.com>
To: Penny Leavy <penny@hbgary.com>, Greg Hoglund <greg@hbgary.com>
cc: Ted Vera <ted@hbgary.com>
Subject: BSides Talk
Date: 2011-01-22

Hey Guys,
I wanted to inform you of my research and content for the talk at Bsides.
I have focused some of my research and talk around the anonymous group, a
supposed loose collection of freedom of speech enthusiasts, anarchists, etc.
They used to target the RIAA with DDOS attacks; now they have taken up the
cause of wikileaks, tunisia, venezuela, algeria, etc. They have received
a decent amount of press about this.
I am enumerating their communications infrastructure and plan to brief this
as well as outing many of the major players within the group. This will
likely make HBGary Federal, and likely HBGary, a target.
I have developed a persona that is well accepted within their groups and want
to use this and my real persona against each other to build up press for the
talk. Pre-talk plan.
I am going to tell a few key leaders under my persona that I have been given
information that a so called cyber security expert named Aaron Barr will be
briefing the power of social media analysis and as part of the talk will be
dissecting the Anonymous group as well as some critical infrastructure and
government organizations.
I will prepare a press sheet for Karen to give to Darkreading a few days
after I tell these folks under persona to legitimize the accusation. This
will generate a big discussion in Anonymous chat channels, which are attended
by the press. This will then generate press about the talk, hopefully
driving more people and more business to us.
But it will also make us a target.
Thoughts?
Aaron
--------------------------------------
From: Greg Hoglund <greg@hbgary.com>
To: Aaron Barr <aaron@hbgary.com>
Subject: Re: BSides Talk
Date: 2011-01-23

Well,
I don't really want to get DDOS'd, so assuming we do get DDOS'd then
what? How do we make lemonade from that?
-Greg

HBGary may not have been aware of the full extent of Aaron Barr's investigation, but completely in the dark they were not; Aaron Barr outlined his research to Greg Hoglund and Penny Leavy, Hoglund's wife and co-owner, on January 22nd, two weeks before the eventual hack. Though Hoglund expressed concern that the research might result in a denial-of-service attack against the company, he showed no qualms about either the subject matter of the research or Barr's investigative methods. When Barr's research started to get some publicity—notably, a story in the Financial Times—Hoglund was quick to praise Barr and leverage the media coverage to promote the companies.

HBGary may not have known everything that Aaron Barr did, but HBGary Federal was plainly operating with the backing of the parent corporation.

Ethical concerns

Perhaps more significantly, however, the open letter doesn't really distance the company from some of the more alarming or damaging revelations. The letter admits that HBGary sells software to the US government and performs some amount of in-house rootkit development, but leaves the more substantial claims unaddressed. The e-mail trail showed that HBGary was pitching its rootkits to defense contractors, and writing what can only be described as malware: hostile programs that would exploit security flaws and install rootkits.

The 12 Monkeys rootkit

The letter claimed that this malware had never been used to attack "foreign countries," and that HBGary knew of no instance of production deployment. Instead, these novel rootkits were intended merely to "understand the offensive nature of our foes." Unfortunately, that doesn't really make much sense as an excuse. The company boasted to potential buyers of its rootkits how they went undetected by standard anti-malware software, a feature only useful if the software is going to be used in the wild. Greg Hoglund, in describing the plans for the HBGary Magenta rootkit, made clear that, in his view, nothing like it existed; this was no mere copycat of existing in-the-wild rootkits, but something new and unique. If Hoglund's assessment is accurate, the insight such a rootkit would give into HBGary's "foes" is negligible—it was technology that those foes hadn't invented and weren't using. This would be useful for attacking, but much less useful for defending.

HBGary's Magenta project

HBGary may very well not actually know about real deployments, but that's missing the point. The concern over its actions was not that the company had explicit, detailed knowledge of actual hacks using its tools—of course the government wouldn't tell HBGary if this were the case. Rather, the concern was that the company was developing these undetectable rootkits and selling (or at least attempting to sell) them to defense contractors, at which point they could be sold to essentially any agency for any purpose—they could just as well be used to spy on domestic dissidents as on foreign powers.

From: Bob Slapnik <bob@hbgary.com>
To: Greg Hoglund <greg@hbgary.com>, Penny C. Hoglund <penny@hbgary.com>
Subject: Need 12 Monkeys price
Date: 2009-04-14

Greg,
Ben [redacted]'s customer may have $200k to spend. Ben wants us to give him
a *price* to sell the software as a license where we retain the IP. The work
would be firm fixed price (not hourly). This will not be viewed as contract
work -- it will be viewed as our selling a product.
We should only take the work if we believe we can succeed and do it in 2
months. It looks like, if awarded, our work will start in about 2 months.
12 Monkeys Details. Ben needs price quote for a complete tool that
- finds MS Office files using the XRK technique to exfiltrate files
- uses the 12 Monkey technique to exist and hide.
- Runs on MS Windows XP sp2 and Office 2003.
- both Client and Server side.
Ben wants us to retain the IP so he can sell it to more customers.

Concluding the letter, HBGary bemoans the state of the press, complaining of low standards of fact-checking and a failure to verify information—something that it blames on the "blog-o-sphere." This comes after admitting earlier in the letter that the company's own refusal to communicate with the press (something that Ars Technica experienced firsthand) was likely to blame in part for that incorrect information. Though some of the speculation surrounding the case was indeed wild (see: Stuxnet), there was little reason to make things up; the facts alone were remarkable enough.

The open letter is a strange thing indeed. If HBGary's aim is to rehabilitate its image, flat denials of the facts revealed in the airing of its dirty laundry are unlikely to be effective. Claiming total ignorance and blaming Aaron Barr and HBGary Federal for everything—in contradiction of the e-mail evidence—is unconvincing, and failing to even acknowledge the serious ethical concerns about the way the business operated means that question marks over the company's conduct remain. But perhaps the letter simply reflects a corporate mindset that ethical constraints are irrelevant so long as one doesn't get caught. On that front, the letter is quite reassuring.